1 /*- 2 * Copyright (c) 2016 Yandex LLC 3 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include <sys/param.h> 32 #include <sys/systm.h> 33 #include <sys/counter.h> 34 #include <sys/eventhandler.h> 35 #include <sys/errno.h> 36 #include <sys/kernel.h> 37 #include <sys/lock.h> 38 #include <sys/malloc.h> 39 #include <sys/mbuf.h> 40 #include <sys/module.h> 41 #include <sys/rmlock.h> 42 #include <sys/rwlock.h> 43 #include <sys/socket.h> 44 #include <sys/queue.h> 45 #include <sys/syslog.h> 46 #include <sys/sysctl.h> 47 48 #include <net/if.h> 49 #include <net/if_var.h> 50 #include <net/netisr.h> 51 #include <net/pfil.h> 52 #include <net/vnet.h> 53 54 #include <netinet/in.h> 55 #include <netinet/ip_var.h> 56 #include <netinet/ip_fw.h> 57 #include <netinet/ip6.h> 58 #include <netinet/icmp6.h> 59 #include <netinet6/in6_var.h> 60 #include <netinet6/ip6_var.h> 61 62 #include <netpfil/ipfw/ip_fw_private.h> 63 #include <netpfil/ipfw/nptv6/nptv6.h> 64 65 VNET_DEFINE_STATIC(uint16_t, nptv6_eid) = 0; 66 #define V_nptv6_eid VNET(nptv6_eid) 67 #define IPFW_TLV_NPTV6_NAME IPFW_TLV_EACTION_NAME(V_nptv6_eid) 68 69 static eventhandler_tag nptv6_ifaddr_event; 70 71 static struct nptv6_cfg *nptv6_alloc_config(const char *name, uint8_t set); 72 static void nptv6_free_config(struct nptv6_cfg *cfg); 73 static struct nptv6_cfg *nptv6_find(struct namedobj_instance *ni, 74 const char *name, uint8_t set); 75 static int nptv6_rewrite_internal(struct nptv6_cfg *cfg, struct mbuf **mp, 76 int offset); 77 static int nptv6_rewrite_external(struct nptv6_cfg *cfg, struct mbuf **mp, 78 int offset); 79 80 #define NPTV6_LOOKUP(chain, cmd) \ 81 (struct nptv6_cfg *)SRV_OBJECT((chain), (cmd)->arg1) 82 83 #ifndef IN6_MASK_ADDR 84 #define IN6_MASK_ADDR(a, m) do { \ 85 (a)->s6_addr32[0] &= (m)->s6_addr32[0]; \ 86 (a)->s6_addr32[1] &= (m)->s6_addr32[1]; \ 87 (a)->s6_addr32[2] &= (m)->s6_addr32[2]; \ 88 (a)->s6_addr32[3] &= (m)->s6_addr32[3]; \ 89 } while (0) 90 #endif 91 #ifndef IN6_ARE_MASKED_ADDR_EQUAL 92 #define IN6_ARE_MASKED_ADDR_EQUAL(d, a, m) ( \ 93 (((d)->s6_addr32[0] ^ (a)->s6_addr32[0]) & (m)->s6_addr32[0]) == 0 && \ 94 (((d)->s6_addr32[1] ^ (a)->s6_addr32[1]) & (m)->s6_addr32[1]) == 0 && \ 95 (((d)->s6_addr32[2] ^ (a)->s6_addr32[2]) & (m)->s6_addr32[2]) == 0 && \ 96 (((d)->s6_addr32[3] ^ (a)->s6_addr32[3]) & (m)->s6_addr32[3]) == 0 ) 97 #endif 98 99 #if 0 100 #define NPTV6_DEBUG(fmt, ...) do { \ 101 printf("%s: " fmt "\n", __func__, ## __VA_ARGS__); \ 102 } while (0) 103 #define NPTV6_IPDEBUG(fmt, ...) do { \ 104 char _s[INET6_ADDRSTRLEN], _d[INET6_ADDRSTRLEN]; \ 105 printf("%s: " fmt "\n", __func__, ## __VA_ARGS__); \ 106 } while (0) 107 #else 108 #define NPTV6_DEBUG(fmt, ...) 109 #define NPTV6_IPDEBUG(fmt, ...) 110 #endif 111 112 static int 113 nptv6_getlasthdr(struct nptv6_cfg *cfg, struct mbuf *m, int *offset) 114 { 115 struct ip6_hdr *ip6; 116 struct ip6_hbh *hbh; 117 int proto, hlen; 118 119 hlen = (offset == NULL) ? 0: *offset; 120 if (m->m_len < hlen) 121 return (-1); 122 ip6 = mtodo(m, hlen); 123 hlen += sizeof(*ip6); 124 proto = ip6->ip6_nxt; 125 while (proto == IPPROTO_HOPOPTS || proto == IPPROTO_ROUTING || 126 proto == IPPROTO_DSTOPTS) { 127 hbh = mtodo(m, hlen); 128 if (m->m_len < hlen) 129 return (-1); 130 proto = hbh->ip6h_nxt; 131 hlen += (hbh->ip6h_len + 1) << 3; 132 } 133 if (offset != NULL) 134 *offset = hlen; 135 return (proto); 136 } 137 138 static int 139 nptv6_translate_icmpv6(struct nptv6_cfg *cfg, struct mbuf **mp, int offset) 140 { 141 struct icmp6_hdr *icmp6; 142 struct ip6_hdr *ip6; 143 struct mbuf *m; 144 145 m = *mp; 146 if (offset > m->m_len) 147 return (-1); 148 icmp6 = mtodo(m, offset); 149 NPTV6_DEBUG("ICMPv6 type %d", icmp6->icmp6_type); 150 switch (icmp6->icmp6_type) { 151 case ICMP6_DST_UNREACH: 152 case ICMP6_PACKET_TOO_BIG: 153 case ICMP6_TIME_EXCEEDED: 154 case ICMP6_PARAM_PROB: 155 break; 156 case ICMP6_ECHO_REQUEST: 157 case ICMP6_ECHO_REPLY: 158 /* nothing to translate */ 159 return (0); 160 default: 161 /* 162 * XXX: We can add some checks to not translate NDP and MLD 163 * messages. Currently user must explicitly allow these message 164 * types, otherwise packets will be dropped. 165 */ 166 return (-1); 167 } 168 offset += sizeof(*icmp6); 169 if (offset + sizeof(*ip6) > m->m_pkthdr.len) 170 return (-1); 171 if (offset + sizeof(*ip6) > m->m_len) 172 *mp = m = m_pullup(m, offset + sizeof(*ip6)); 173 if (m == NULL) 174 return (-1); 175 ip6 = mtodo(m, offset); 176 NPTV6_IPDEBUG("offset %d, %s -> %s %d", offset, 177 inet_ntop(AF_INET6, &ip6->ip6_src, _s, sizeof(_s)), 178 inet_ntop(AF_INET6, &ip6->ip6_dst, _d, sizeof(_d)), 179 ip6->ip6_nxt); 180 if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_src, 181 &cfg->external, &cfg->mask)) 182 return (nptv6_rewrite_external(cfg, mp, offset)); 183 else if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_dst, 184 &cfg->internal, &cfg->mask)) 185 return (nptv6_rewrite_internal(cfg, mp, offset)); 186 /* 187 * Addresses in the inner IPv6 header doesn't matched to 188 * our prefixes. 189 */ 190 return (-1); 191 } 192 193 static int 194 nptv6_search_index(struct nptv6_cfg *cfg, struct in6_addr *a) 195 { 196 int idx; 197 198 if (cfg->flags & NPTV6_48PLEN) 199 return (3); 200 201 /* Search suitable word index for adjustment */ 202 for (idx = 4; idx < 8; idx++) 203 if (a->s6_addr16[idx] != 0xffff) 204 break; 205 /* 206 * RFC 6296 p3.7: If an NPTv6 Translator discovers a datagram with 207 * an IID of all-zeros while performing address mapping, that 208 * datagram MUST be dropped, and an ICMPv6 Parameter Problem error 209 * SHOULD be generated. 210 */ 211 if (idx == 8 || 212 (a->s6_addr32[2] == 0 && a->s6_addr32[3] == 0)) 213 return (-1); 214 return (idx); 215 } 216 217 static void 218 nptv6_copy_addr(struct in6_addr *src, struct in6_addr *dst, 219 struct in6_addr *mask) 220 { 221 int i; 222 223 for (i = 0; i < 8 && mask->s6_addr8[i] != 0; i++) { 224 dst->s6_addr8[i] &= ~mask->s6_addr8[i]; 225 dst->s6_addr8[i] |= src->s6_addr8[i] & mask->s6_addr8[i]; 226 } 227 } 228 229 static int 230 nptv6_rewrite_internal(struct nptv6_cfg *cfg, struct mbuf **mp, int offset) 231 { 232 struct in6_addr *addr; 233 struct ip6_hdr *ip6; 234 int idx, proto; 235 uint16_t adj; 236 237 ip6 = mtodo(*mp, offset); 238 NPTV6_IPDEBUG("offset %d, %s -> %s %d", offset, 239 inet_ntop(AF_INET6, &ip6->ip6_src, _s, sizeof(_s)), 240 inet_ntop(AF_INET6, &ip6->ip6_dst, _d, sizeof(_d)), 241 ip6->ip6_nxt); 242 if (offset == 0) 243 addr = &ip6->ip6_src; 244 else { 245 /* 246 * When we rewriting inner IPv6 header, we need to rewrite 247 * destination address back to external prefix. The datagram in 248 * the ICMPv6 payload should looks like it was send from 249 * external prefix. 250 */ 251 addr = &ip6->ip6_dst; 252 } 253 idx = nptv6_search_index(cfg, addr); 254 if (idx < 0) { 255 /* 256 * Do not send ICMPv6 error when offset isn't zero. 257 * This means we are rewriting inner IPv6 header in the 258 * ICMPv6 error message. 259 */ 260 if (offset == 0) { 261 icmp6_error2(*mp, ICMP6_DST_UNREACH, 262 ICMP6_DST_UNREACH_ADDR, 0, (*mp)->m_pkthdr.rcvif); 263 *mp = NULL; 264 } 265 return (IP_FW_DENY); 266 } 267 adj = addr->s6_addr16[idx]; 268 nptv6_copy_addr(&cfg->external, addr, &cfg->mask); 269 adj = cksum_add(adj, cfg->adjustment); 270 if (adj == 0xffff) 271 adj = 0; 272 addr->s6_addr16[idx] = adj; 273 if (offset == 0) { 274 /* 275 * We may need to translate addresses in the inner IPv6 276 * header for ICMPv6 error messages. 277 */ 278 proto = nptv6_getlasthdr(cfg, *mp, &offset); 279 if (proto < 0 || (proto == IPPROTO_ICMPV6 && 280 nptv6_translate_icmpv6(cfg, mp, offset) != 0)) 281 return (IP_FW_DENY); 282 NPTV6STAT_INC(cfg, in2ex); 283 } 284 return (0); 285 } 286 287 static int 288 nptv6_rewrite_external(struct nptv6_cfg *cfg, struct mbuf **mp, int offset) 289 { 290 struct in6_addr *addr; 291 struct ip6_hdr *ip6; 292 int idx, proto; 293 uint16_t adj; 294 295 ip6 = mtodo(*mp, offset); 296 NPTV6_IPDEBUG("offset %d, %s -> %s %d", offset, 297 inet_ntop(AF_INET6, &ip6->ip6_src, _s, sizeof(_s)), 298 inet_ntop(AF_INET6, &ip6->ip6_dst, _d, sizeof(_d)), 299 ip6->ip6_nxt); 300 if (offset == 0) 301 addr = &ip6->ip6_dst; 302 else { 303 /* 304 * When we rewriting inner IPv6 header, we need to rewrite 305 * source address back to internal prefix. The datagram in 306 * the ICMPv6 payload should looks like it was send from 307 * internal prefix. 308 */ 309 addr = &ip6->ip6_src; 310 } 311 idx = nptv6_search_index(cfg, addr); 312 if (idx < 0) { 313 /* 314 * Do not send ICMPv6 error when offset isn't zero. 315 * This means we are rewriting inner IPv6 header in the 316 * ICMPv6 error message. 317 */ 318 if (offset == 0) { 319 icmp6_error2(*mp, ICMP6_DST_UNREACH, 320 ICMP6_DST_UNREACH_ADDR, 0, (*mp)->m_pkthdr.rcvif); 321 *mp = NULL; 322 } 323 return (IP_FW_DENY); 324 } 325 adj = addr->s6_addr16[idx]; 326 nptv6_copy_addr(&cfg->internal, addr, &cfg->mask); 327 adj = cksum_add(adj, ~cfg->adjustment); 328 if (adj == 0xffff) 329 adj = 0; 330 addr->s6_addr16[idx] = adj; 331 if (offset == 0) { 332 /* 333 * We may need to translate addresses in the inner IPv6 334 * header for ICMPv6 error messages. 335 */ 336 proto = nptv6_getlasthdr(cfg, *mp, &offset); 337 if (proto < 0 || (proto == IPPROTO_ICMPV6 && 338 nptv6_translate_icmpv6(cfg, mp, offset) != 0)) 339 return (IP_FW_DENY); 340 NPTV6STAT_INC(cfg, ex2in); 341 } 342 return (0); 343 } 344 345 /* 346 * ipfw external action handler. 347 */ 348 static int 349 ipfw_nptv6(struct ip_fw_chain *chain, struct ip_fw_args *args, 350 ipfw_insn *cmd, int *done) 351 { 352 struct ip6_hdr *ip6; 353 struct nptv6_cfg *cfg; 354 ipfw_insn *icmd; 355 int ret; 356 357 *done = 0; /* try next rule if not matched */ 358 ret = IP_FW_DENY; 359 icmd = cmd + 1; 360 if (cmd->opcode != O_EXTERNAL_ACTION || 361 cmd->arg1 != V_nptv6_eid || 362 icmd->opcode != O_EXTERNAL_INSTANCE || 363 (cfg = NPTV6_LOOKUP(chain, icmd)) == NULL || 364 (cfg->flags & NPTV6_READY) == 0) 365 return (ret); 366 /* 367 * We need act as router, so when forwarding is disabled - 368 * do nothing. 369 */ 370 if (V_ip6_forwarding == 0 || args->f_id.addr_type != 6) 371 return (ret); 372 /* 373 * NOTE: we expect ipfw_chk() did m_pullup() up to upper level 374 * protocol's headers. Also we skip some checks, that ip6_input(), 375 * ip6_forward(), ip6_fastfwd() and ipfw_chk() already did. 376 */ 377 ip6 = mtod(args->m, struct ip6_hdr *); 378 NPTV6_IPDEBUG("eid %u, oid %u, %s -> %s %d", 379 cmd->arg1, icmd->arg1, 380 inet_ntop(AF_INET6, &ip6->ip6_src, _s, sizeof(_s)), 381 inet_ntop(AF_INET6, &ip6->ip6_dst, _d, sizeof(_d)), 382 ip6->ip6_nxt); 383 if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_src, 384 &cfg->internal, &cfg->mask)) { 385 /* 386 * XXX: Do not translate packets when both src and dst 387 * are from internal prefix. 388 */ 389 if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_dst, 390 &cfg->internal, &cfg->mask)) 391 return (ret); 392 ret = nptv6_rewrite_internal(cfg, &args->m, 0); 393 } else if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_dst, 394 &cfg->external, &cfg->mask)) 395 ret = nptv6_rewrite_external(cfg, &args->m, 0); 396 else 397 return (ret); 398 /* 399 * If address wasn't rewrited - free mbuf and terminate the search. 400 */ 401 if (ret != 0) { 402 if (args->m != NULL) { 403 m_freem(args->m); 404 args->m = NULL; /* mark mbuf as consumed */ 405 } 406 NPTV6STAT_INC(cfg, dropped); 407 *done = 1; 408 } else { 409 /* Terminate the search if one_pass is set */ 410 *done = V_fw_one_pass; 411 /* Update args->f_id when one_pass is off */ 412 if (*done == 0) { 413 ip6 = mtod(args->m, struct ip6_hdr *); 414 args->f_id.src_ip6 = ip6->ip6_src; 415 args->f_id.dst_ip6 = ip6->ip6_dst; 416 } 417 } 418 return (ret); 419 } 420 421 static struct nptv6_cfg * 422 nptv6_alloc_config(const char *name, uint8_t set) 423 { 424 struct nptv6_cfg *cfg; 425 426 cfg = malloc(sizeof(struct nptv6_cfg), M_IPFW, M_WAITOK | M_ZERO); 427 COUNTER_ARRAY_ALLOC(cfg->stats, NPTV6STATS, M_WAITOK); 428 cfg->no.name = cfg->name; 429 cfg->no.etlv = IPFW_TLV_NPTV6_NAME; 430 cfg->no.set = set; 431 strlcpy(cfg->name, name, sizeof(cfg->name)); 432 return (cfg); 433 } 434 435 static void 436 nptv6_free_config(struct nptv6_cfg *cfg) 437 { 438 439 COUNTER_ARRAY_FREE(cfg->stats, NPTV6STATS); 440 free(cfg, M_IPFW); 441 } 442 443 static void 444 nptv6_export_config(struct ip_fw_chain *ch, struct nptv6_cfg *cfg, 445 ipfw_nptv6_cfg *uc) 446 { 447 448 uc->internal = cfg->internal; 449 if (cfg->flags & NPTV6_DYNAMIC_PREFIX) 450 memcpy(uc->if_name, cfg->if_name, IF_NAMESIZE); 451 else 452 uc->external = cfg->external; 453 uc->plen = cfg->plen; 454 uc->flags = cfg->flags & NPTV6_FLAGSMASK; 455 uc->set = cfg->no.set; 456 strlcpy(uc->name, cfg->no.name, sizeof(uc->name)); 457 } 458 459 struct nptv6_dump_arg { 460 struct ip_fw_chain *ch; 461 struct sockopt_data *sd; 462 }; 463 464 static int 465 export_config_cb(struct namedobj_instance *ni, struct named_object *no, 466 void *arg) 467 { 468 struct nptv6_dump_arg *da = (struct nptv6_dump_arg *)arg; 469 ipfw_nptv6_cfg *uc; 470 471 uc = (ipfw_nptv6_cfg *)ipfw_get_sopt_space(da->sd, sizeof(*uc)); 472 nptv6_export_config(da->ch, (struct nptv6_cfg *)no, uc); 473 return (0); 474 } 475 476 static struct nptv6_cfg * 477 nptv6_find(struct namedobj_instance *ni, const char *name, uint8_t set) 478 { 479 struct nptv6_cfg *cfg; 480 481 cfg = (struct nptv6_cfg *)ipfw_objhash_lookup_name_type(ni, set, 482 IPFW_TLV_NPTV6_NAME, name); 483 484 return (cfg); 485 } 486 487 static void 488 nptv6_calculate_adjustment(struct nptv6_cfg *cfg) 489 { 490 uint16_t i, e; 491 uint16_t *p; 492 493 /* Calculate checksum of internal prefix */ 494 for (i = 0, p = (uint16_t *)&cfg->internal; 495 p < (uint16_t *)(&cfg->internal + 1); p++) 496 i = cksum_add(i, *p); 497 498 /* Calculate checksum of external prefix */ 499 for (e = 0, p = (uint16_t *)&cfg->external; 500 p < (uint16_t *)(&cfg->external + 1); p++) 501 e = cksum_add(e, *p); 502 503 /* Adjustment value for Int->Ext direction */ 504 cfg->adjustment = cksum_add(~e, i); 505 } 506 507 static int 508 nptv6_check_prefix(const struct in6_addr *addr) 509 { 510 511 if (IN6_IS_ADDR_MULTICAST(addr) || 512 IN6_IS_ADDR_LINKLOCAL(addr) || 513 IN6_IS_ADDR_LOOPBACK(addr) || 514 IN6_IS_ADDR_UNSPECIFIED(addr)) 515 return (EINVAL); 516 return (0); 517 } 518 519 static void 520 nptv6_set_external(struct nptv6_cfg *cfg, struct in6_addr *addr) 521 { 522 523 cfg->external = *addr; 524 IN6_MASK_ADDR(&cfg->external, &cfg->mask); 525 nptv6_calculate_adjustment(cfg); 526 cfg->flags |= NPTV6_READY; 527 } 528 529 /* 530 * Try to determine what prefix to use as external for 531 * configured interface name. 532 */ 533 static void 534 nptv6_find_prefix(struct ip_fw_chain *ch, struct nptv6_cfg *cfg, 535 struct ifnet *ifp) 536 { 537 struct epoch_tracker et; 538 struct ifaddr *ifa; 539 struct in6_ifaddr *ia; 540 541 MPASS(cfg->flags & NPTV6_DYNAMIC_PREFIX); 542 IPFW_UH_WLOCK_ASSERT(ch); 543 544 if (ifp == NULL) { 545 ifp = ifunit_ref(cfg->if_name); 546 if (ifp == NULL) 547 return; 548 } 549 NET_EPOCH_ENTER(et); 550 CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { 551 if (ifa->ifa_addr->sa_family != AF_INET6) 552 continue; 553 ia = (struct in6_ifaddr *)ifa; 554 if (nptv6_check_prefix(&ia->ia_addr.sin6_addr) || 555 IN6_ARE_MASKED_ADDR_EQUAL(&ia->ia_addr.sin6_addr, 556 &cfg->internal, &cfg->mask)) 557 continue; 558 /* Suitable address is found. */ 559 nptv6_set_external(cfg, &ia->ia_addr.sin6_addr); 560 break; 561 } 562 NET_EPOCH_EXIT(et); 563 if_rele(ifp); 564 } 565 566 struct ifaddr_event_args { 567 struct ifnet *ifp; 568 const struct in6_addr *addr; 569 int event; 570 }; 571 572 static int 573 ifaddr_cb(struct namedobj_instance *ni, struct named_object *no, 574 void *arg) 575 { 576 struct ifaddr_event_args *args; 577 struct ip_fw_chain *ch; 578 struct nptv6_cfg *cfg; 579 580 ch = &V_layer3_chain; 581 cfg = (struct nptv6_cfg *)SRV_OBJECT(ch, no->kidx); 582 if ((cfg->flags & NPTV6_DYNAMIC_PREFIX) == 0) 583 return (0); 584 585 args = arg; 586 /* If interface name doesn't match, ignore */ 587 if (strncmp(args->ifp->if_xname, cfg->if_name, IF_NAMESIZE)) 588 return (0); 589 if (args->ifp->if_flags & IFF_DYING) { /* XXX: is it possible? */ 590 cfg->flags &= ~NPTV6_READY; 591 return (0); 592 } 593 if (args->event == IFADDR_EVENT_DEL) { 594 /* If instance is not ready, ignore */ 595 if ((cfg->flags & NPTV6_READY) == 0) 596 return (0); 597 /* If address does not match the external prefix, ignore */ 598 if (IN6_ARE_MASKED_ADDR_EQUAL(&cfg->external, args->addr, 599 &cfg->mask) != 0) 600 return (0); 601 /* Otherwise clear READY flag */ 602 cfg->flags &= ~NPTV6_READY; 603 } else {/* IFADDR_EVENT_ADD */ 604 /* If instance is already ready, ignore */ 605 if (cfg->flags & NPTV6_READY) 606 return (0); 607 /* If address is not suitable for prefix, ignore */ 608 if (nptv6_check_prefix(args->addr) || 609 IN6_ARE_MASKED_ADDR_EQUAL(args->addr, &cfg->internal, 610 &cfg->mask)) 611 return (0); 612 /* FALLTHROUGH */ 613 } 614 MPASS(!(cfg->flags & NPTV6_READY)); 615 /* Try to determine the prefix */ 616 if_ref(args->ifp); 617 nptv6_find_prefix(ch, cfg, args->ifp); 618 return (0); 619 } 620 621 static void 622 nptv6_ifaddrevent_handler(void *arg __unused, struct ifnet *ifp, 623 struct ifaddr *ifa, int event) 624 { 625 struct ifaddr_event_args args; 626 struct ip_fw_chain *ch; 627 628 if (ifa->ifa_addr->sa_family != AF_INET6) 629 return; 630 631 args.ifp = ifp; 632 args.addr = &((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_addr; 633 args.event = event; 634 635 ch = &V_layer3_chain; 636 IPFW_UH_WLOCK(ch); 637 ipfw_objhash_foreach_type(CHAIN_TO_SRV(ch), ifaddr_cb, &args, 638 IPFW_TLV_NPTV6_NAME); 639 IPFW_UH_WUNLOCK(ch); 640 } 641 642 /* 643 * Creates new NPTv6 instance. 644 * Data layout (v0)(current): 645 * Request: [ ipfw_obj_lheader ipfw_nptv6_cfg ] 646 * 647 * Returns 0 on success 648 */ 649 static int 650 nptv6_create(struct ip_fw_chain *ch, ip_fw3_opheader *op3, 651 struct sockopt_data *sd) 652 { 653 struct in6_addr mask; 654 ipfw_obj_lheader *olh; 655 ipfw_nptv6_cfg *uc; 656 struct namedobj_instance *ni; 657 struct nptv6_cfg *cfg; 658 659 if (sd->valsize != sizeof(*olh) + sizeof(*uc)) 660 return (EINVAL); 661 662 olh = (ipfw_obj_lheader *)sd->kbuf; 663 uc = (ipfw_nptv6_cfg *)(olh + 1); 664 if (ipfw_check_object_name_generic(uc->name) != 0) 665 return (EINVAL); 666 if (uc->plen < 8 || uc->plen > 64 || uc->set >= IPFW_MAX_SETS) 667 return (EINVAL); 668 if (nptv6_check_prefix(&uc->internal)) 669 return (EINVAL); 670 in6_prefixlen2mask(&mask, uc->plen); 671 if ((uc->flags & NPTV6_DYNAMIC_PREFIX) == 0 && ( 672 nptv6_check_prefix(&uc->external) || 673 IN6_ARE_MASKED_ADDR_EQUAL(&uc->external, &uc->internal, &mask))) 674 return (EINVAL); 675 676 ni = CHAIN_TO_SRV(ch); 677 IPFW_UH_RLOCK(ch); 678 if (nptv6_find(ni, uc->name, uc->set) != NULL) { 679 IPFW_UH_RUNLOCK(ch); 680 return (EEXIST); 681 } 682 IPFW_UH_RUNLOCK(ch); 683 684 cfg = nptv6_alloc_config(uc->name, uc->set); 685 cfg->plen = uc->plen; 686 cfg->flags = uc->flags & NPTV6_FLAGSMASK; 687 if (cfg->plen <= 48) 688 cfg->flags |= NPTV6_48PLEN; 689 cfg->mask = mask; 690 cfg->internal = uc->internal; 691 IN6_MASK_ADDR(&cfg->internal, &mask); 692 if (cfg->flags & NPTV6_DYNAMIC_PREFIX) 693 memcpy(cfg->if_name, uc->if_name, IF_NAMESIZE); 694 else 695 nptv6_set_external(cfg, &uc->external); 696 697 if ((uc->flags & NPTV6_DYNAMIC_PREFIX) != 0 && 698 nptv6_ifaddr_event == NULL) 699 nptv6_ifaddr_event = EVENTHANDLER_REGISTER( 700 ifaddr_event_ext, nptv6_ifaddrevent_handler, NULL, 701 EVENTHANDLER_PRI_ANY); 702 703 IPFW_UH_WLOCK(ch); 704 if (ipfw_objhash_alloc_idx(ni, &cfg->no.kidx) != 0) { 705 IPFW_UH_WUNLOCK(ch); 706 nptv6_free_config(cfg); 707 return (ENOSPC); 708 } 709 ipfw_objhash_add(ni, &cfg->no); 710 SRV_OBJECT(ch, cfg->no.kidx) = cfg; 711 if (cfg->flags & NPTV6_DYNAMIC_PREFIX) 712 nptv6_find_prefix(ch, cfg, NULL); 713 IPFW_UH_WUNLOCK(ch); 714 715 return (0); 716 } 717 718 /* 719 * Destroys NPTv6 instance. 720 * Data layout (v0)(current): 721 * Request: [ ipfw_obj_header ] 722 * 723 * Returns 0 on success 724 */ 725 static int 726 nptv6_destroy(struct ip_fw_chain *ch, ip_fw3_opheader *op3, 727 struct sockopt_data *sd) 728 { 729 ipfw_obj_header *oh; 730 struct nptv6_cfg *cfg; 731 732 if (sd->valsize != sizeof(*oh)) 733 return (EINVAL); 734 735 oh = (ipfw_obj_header *)sd->kbuf; 736 if (ipfw_check_object_name_generic(oh->ntlv.name) != 0) 737 return (EINVAL); 738 739 IPFW_UH_WLOCK(ch); 740 cfg = nptv6_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set); 741 if (cfg == NULL) { 742 IPFW_UH_WUNLOCK(ch); 743 return (ESRCH); 744 } 745 if (cfg->no.refcnt > 0) { 746 IPFW_UH_WUNLOCK(ch); 747 return (EBUSY); 748 } 749 750 ipfw_reset_eaction_instance(ch, V_nptv6_eid, cfg->no.kidx); 751 SRV_OBJECT(ch, cfg->no.kidx) = NULL; 752 ipfw_objhash_del(CHAIN_TO_SRV(ch), &cfg->no); 753 ipfw_objhash_free_idx(CHAIN_TO_SRV(ch), cfg->no.kidx); 754 IPFW_UH_WUNLOCK(ch); 755 756 nptv6_free_config(cfg); 757 return (0); 758 } 759 760 /* 761 * Get or change nptv6 instance config. 762 * Request: [ ipfw_obj_header [ ipfw_nptv6_cfg ] ] 763 */ 764 static int 765 nptv6_config(struct ip_fw_chain *chain, ip_fw3_opheader *op, 766 struct sockopt_data *sd) 767 { 768 769 return (EOPNOTSUPP); 770 } 771 772 /* 773 * Lists all NPTv6 instances currently available in kernel. 774 * Data layout (v0)(current): 775 * Request: [ ipfw_obj_lheader ] 776 * Reply: [ ipfw_obj_lheader ipfw_nptv6_cfg x N ] 777 * 778 * Returns 0 on success 779 */ 780 static int 781 nptv6_list(struct ip_fw_chain *ch, ip_fw3_opheader *op3, 782 struct sockopt_data *sd) 783 { 784 ipfw_obj_lheader *olh; 785 struct nptv6_dump_arg da; 786 787 /* Check minimum header size */ 788 if (sd->valsize < sizeof(ipfw_obj_lheader)) 789 return (EINVAL); 790 791 olh = (ipfw_obj_lheader *)ipfw_get_sopt_header(sd, sizeof(*olh)); 792 793 IPFW_UH_RLOCK(ch); 794 olh->count = ipfw_objhash_count_type(CHAIN_TO_SRV(ch), 795 IPFW_TLV_NPTV6_NAME); 796 olh->objsize = sizeof(ipfw_nptv6_cfg); 797 olh->size = sizeof(*olh) + olh->count * olh->objsize; 798 799 if (sd->valsize < olh->size) { 800 IPFW_UH_RUNLOCK(ch); 801 return (ENOMEM); 802 } 803 memset(&da, 0, sizeof(da)); 804 da.ch = ch; 805 da.sd = sd; 806 ipfw_objhash_foreach_type(CHAIN_TO_SRV(ch), export_config_cb, 807 &da, IPFW_TLV_NPTV6_NAME); 808 IPFW_UH_RUNLOCK(ch); 809 810 return (0); 811 } 812 813 #define __COPY_STAT_FIELD(_cfg, _stats, _field) \ 814 (_stats)->_field = NPTV6STAT_FETCH(_cfg, _field) 815 static void 816 export_stats(struct ip_fw_chain *ch, struct nptv6_cfg *cfg, 817 struct ipfw_nptv6_stats *stats) 818 { 819 820 __COPY_STAT_FIELD(cfg, stats, in2ex); 821 __COPY_STAT_FIELD(cfg, stats, ex2in); 822 __COPY_STAT_FIELD(cfg, stats, dropped); 823 } 824 825 /* 826 * Get NPTv6 statistics. 827 * Data layout (v0)(current): 828 * Request: [ ipfw_obj_header ] 829 * Reply: [ ipfw_obj_header ipfw_obj_ctlv [ uint64_t x N ]] 830 * 831 * Returns 0 on success 832 */ 833 static int 834 nptv6_stats(struct ip_fw_chain *ch, ip_fw3_opheader *op, 835 struct sockopt_data *sd) 836 { 837 struct ipfw_nptv6_stats stats; 838 struct nptv6_cfg *cfg; 839 ipfw_obj_header *oh; 840 ipfw_obj_ctlv *ctlv; 841 size_t sz; 842 843 sz = sizeof(ipfw_obj_header) + sizeof(ipfw_obj_ctlv) + sizeof(stats); 844 if (sd->valsize % sizeof(uint64_t)) 845 return (EINVAL); 846 if (sd->valsize < sz) 847 return (ENOMEM); 848 oh = (ipfw_obj_header *)ipfw_get_sopt_header(sd, sz); 849 if (oh == NULL) 850 return (EINVAL); 851 if (ipfw_check_object_name_generic(oh->ntlv.name) != 0 || 852 oh->ntlv.set >= IPFW_MAX_SETS) 853 return (EINVAL); 854 memset(&stats, 0, sizeof(stats)); 855 856 IPFW_UH_RLOCK(ch); 857 cfg = nptv6_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set); 858 if (cfg == NULL) { 859 IPFW_UH_RUNLOCK(ch); 860 return (ESRCH); 861 } 862 export_stats(ch, cfg, &stats); 863 IPFW_UH_RUNLOCK(ch); 864 865 ctlv = (ipfw_obj_ctlv *)(oh + 1); 866 memset(ctlv, 0, sizeof(*ctlv)); 867 ctlv->head.type = IPFW_TLV_COUNTERS; 868 ctlv->head.length = sz - sizeof(ipfw_obj_header); 869 ctlv->count = sizeof(stats) / sizeof(uint64_t); 870 ctlv->objsize = sizeof(uint64_t); 871 ctlv->version = 1; 872 memcpy(ctlv + 1, &stats, sizeof(stats)); 873 return (0); 874 } 875 876 /* 877 * Reset NPTv6 statistics. 878 * Data layout (v0)(current): 879 * Request: [ ipfw_obj_header ] 880 * 881 * Returns 0 on success 882 */ 883 static int 884 nptv6_reset_stats(struct ip_fw_chain *ch, ip_fw3_opheader *op, 885 struct sockopt_data *sd) 886 { 887 struct nptv6_cfg *cfg; 888 ipfw_obj_header *oh; 889 890 if (sd->valsize != sizeof(*oh)) 891 return (EINVAL); 892 oh = (ipfw_obj_header *)sd->kbuf; 893 if (ipfw_check_object_name_generic(oh->ntlv.name) != 0 || 894 oh->ntlv.set >= IPFW_MAX_SETS) 895 return (EINVAL); 896 897 IPFW_UH_WLOCK(ch); 898 cfg = nptv6_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set); 899 if (cfg == NULL) { 900 IPFW_UH_WUNLOCK(ch); 901 return (ESRCH); 902 } 903 COUNTER_ARRAY_ZERO(cfg->stats, NPTV6STATS); 904 IPFW_UH_WUNLOCK(ch); 905 return (0); 906 } 907 908 static struct ipfw_sopt_handler scodes[] = { 909 { IP_FW_NPTV6_CREATE, 0, HDIR_SET, nptv6_create }, 910 { IP_FW_NPTV6_DESTROY,0, HDIR_SET, nptv6_destroy }, 911 { IP_FW_NPTV6_CONFIG, 0, HDIR_BOTH, nptv6_config }, 912 { IP_FW_NPTV6_LIST, 0, HDIR_GET, nptv6_list }, 913 { IP_FW_NPTV6_STATS, 0, HDIR_GET, nptv6_stats }, 914 { IP_FW_NPTV6_RESET_STATS,0, HDIR_SET, nptv6_reset_stats }, 915 }; 916 917 static int 918 nptv6_classify(ipfw_insn *cmd, uint16_t *puidx, uint8_t *ptype) 919 { 920 ipfw_insn *icmd; 921 922 icmd = cmd - 1; 923 NPTV6_DEBUG("opcode %d, arg1 %d, opcode0 %d, arg1 %d", 924 cmd->opcode, cmd->arg1, icmd->opcode, icmd->arg1); 925 if (icmd->opcode != O_EXTERNAL_ACTION || 926 icmd->arg1 != V_nptv6_eid) 927 return (1); 928 929 *puidx = cmd->arg1; 930 *ptype = 0; 931 return (0); 932 } 933 934 static void 935 nptv6_update_arg1(ipfw_insn *cmd, uint16_t idx) 936 { 937 938 cmd->arg1 = idx; 939 NPTV6_DEBUG("opcode %d, arg1 -> %d", cmd->opcode, cmd->arg1); 940 } 941 942 static int 943 nptv6_findbyname(struct ip_fw_chain *ch, struct tid_info *ti, 944 struct named_object **pno) 945 { 946 int err; 947 948 err = ipfw_objhash_find_type(CHAIN_TO_SRV(ch), ti, 949 IPFW_TLV_NPTV6_NAME, pno); 950 NPTV6_DEBUG("uidx %u, type %u, err %d", ti->uidx, ti->type, err); 951 return (err); 952 } 953 954 static struct named_object * 955 nptv6_findbykidx(struct ip_fw_chain *ch, uint16_t idx) 956 { 957 struct namedobj_instance *ni; 958 struct named_object *no; 959 960 IPFW_UH_WLOCK_ASSERT(ch); 961 ni = CHAIN_TO_SRV(ch); 962 no = ipfw_objhash_lookup_kidx(ni, idx); 963 KASSERT(no != NULL, ("NPT with index %d not found", idx)); 964 965 NPTV6_DEBUG("kidx %u -> %s", idx, no->name); 966 return (no); 967 } 968 969 static int 970 nptv6_manage_sets(struct ip_fw_chain *ch, uint16_t set, uint8_t new_set, 971 enum ipfw_sets_cmd cmd) 972 { 973 974 return (ipfw_obj_manage_sets(CHAIN_TO_SRV(ch), IPFW_TLV_NPTV6_NAME, 975 set, new_set, cmd)); 976 } 977 978 static struct opcode_obj_rewrite opcodes[] = { 979 { 980 .opcode = O_EXTERNAL_INSTANCE, 981 .etlv = IPFW_TLV_EACTION /* just show it isn't table */, 982 .classifier = nptv6_classify, 983 .update = nptv6_update_arg1, 984 .find_byname = nptv6_findbyname, 985 .find_bykidx = nptv6_findbykidx, 986 .manage_sets = nptv6_manage_sets, 987 }, 988 }; 989 990 static int 991 destroy_config_cb(struct namedobj_instance *ni, struct named_object *no, 992 void *arg) 993 { 994 struct nptv6_cfg *cfg; 995 struct ip_fw_chain *ch; 996 997 ch = (struct ip_fw_chain *)arg; 998 IPFW_UH_WLOCK_ASSERT(ch); 999 1000 cfg = (struct nptv6_cfg *)SRV_OBJECT(ch, no->kidx); 1001 SRV_OBJECT(ch, no->kidx) = NULL; 1002 ipfw_objhash_del(ni, &cfg->no); 1003 ipfw_objhash_free_idx(ni, cfg->no.kidx); 1004 nptv6_free_config(cfg); 1005 return (0); 1006 } 1007 1008 int 1009 nptv6_init(struct ip_fw_chain *ch, int first) 1010 { 1011 1012 V_nptv6_eid = ipfw_add_eaction(ch, ipfw_nptv6, "nptv6"); 1013 if (V_nptv6_eid == 0) 1014 return (ENXIO); 1015 IPFW_ADD_SOPT_HANDLER(first, scodes); 1016 IPFW_ADD_OBJ_REWRITER(first, opcodes); 1017 return (0); 1018 } 1019 1020 void 1021 nptv6_uninit(struct ip_fw_chain *ch, int last) 1022 { 1023 1024 if (last && nptv6_ifaddr_event != NULL) 1025 EVENTHANDLER_DEREGISTER(ifaddr_event_ext, nptv6_ifaddr_event); 1026 IPFW_DEL_OBJ_REWRITER(last, opcodes); 1027 IPFW_DEL_SOPT_HANDLER(last, scodes); 1028 ipfw_del_eaction(ch, V_nptv6_eid); 1029 /* 1030 * Since we already have deregistered external action, 1031 * our named objects become unaccessible via rules, because 1032 * all rules were truncated by ipfw_del_eaction(). 1033 * So, we can unlink and destroy our named objects without holding 1034 * IPFW_WLOCK(). 1035 */ 1036 IPFW_UH_WLOCK(ch); 1037 ipfw_objhash_foreach_type(CHAIN_TO_SRV(ch), destroy_config_cb, ch, 1038 IPFW_TLV_NPTV6_NAME); 1039 V_nptv6_eid = 0; 1040 IPFW_UH_WUNLOCK(ch); 1041 } 1042 1043